Age | Commit message (Collapse) | Author |
|
|
|
|
|
It is possible to install a route-map which filters the routes between routing
daemons and the OS kernel (zebra)
As of now this can be done by e.g.
* set protocols ospf route-map foo
* set protocols ospfv3 route-map foo
* set protocols bgp route-map foo
Which in turn will install the following lines into FRR
* ip protocol ospf route-map foo
* ipv6 protocol ospf6 route-map foo
* ip protocol bgp route-map foo
The current state of the VyOS CLI is incomplete as there is no way to:
* Install a filter for BGP IPv6 routes
* Install a filter for static routes
* Install a filter for connected routes
Thus the CLI should be redesigned to close match what FRR does for both the
default and any other VRF
* set system ip protocol ospf route-map foo
* set system ipv6 protocol ospfv3 route-map foo
* set system ip protocol bgp route-map foo
* set system ipv6 protocol bgp route-map foo
The configuration can be migrated accordingly. This commit does not come with
the migrator, it will be comitted later.
|
|
T5081: ISIS and OSPF syncronization with IGP-LDP sync
|
|
Initially the option 'rate-limit' was implemented with the
wrong place in the CLI:
set vpn pptp remote-access authentication rate-limit <xxx>
Expected under 'radius' section:
set vpn pptp remote-access authentication radius rate-limit <xxx>
Configuration for 'rate-limit' (Jinja2 template) never worked for
pptp, fix it.
|
|
Fix for Telegraf agent hostname isn't qualified
Try to get hostname from FQDN and then from hostname
Used for metrics
You may have more than one machine with different domain names
r1 domain-name foo.local, hostname myhost
r2 domain-name bar.local, hostname myhost
It helps to detect from which exectly host we get metric for
InfluxDB2
|
|
The Debian 12 upgrade in T5003 caused a regression for connecting to
legacy networks that only support TLSv1.0/1.1 for EAP-TLS. Debian allows
this by default in their wpa_supplicant package, but their
`allow-tlsv1.patch` patch does not work properly with VyOS' newer
wpa_supplicant package, which is based on the latest code in git. As a
result, wpa_supplicant always respects the system-wide openssl crypto
policy, disallowing TLSv1. The commit uses the documented way of
allowing TLSv1, which takes precedence over the system crypto policy.
Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>
|
|
|
|
maxsyslogins
maximum number of all logins on system; user is not
allowed to log-in if total number of all user logins is
greater than specified number (this limit does not apply
to user with uid=0)
set system login max-login-session 2
|
|
We now support assigning discrete IPv6 addresses to a container.
|
|
|
|
T5128: Policy Route: allow wildcard on interface
|
|
Add op-mode for sFlow based on hsflowd "show sflow"
Add machine readable format '--raw' and formatted output
|
|
|
|
|
|
dns: T5115: Support custom port for name servers for forwarding zones
|
|
As podman is going to use netavark as new default we must explicitly select
the old driver until we have migrated to netavark.
|
|
This would allow using custom ports in name server operating on non-
default port for forwarding zones.
This is a follow-up to T5113 for sake of completeness and having
consistent treatment of all name servers configured in PowerDNS recursor.
Additionally, migrate `service dns forwarding domain example.com server`
to `service dns forwarding domain foo3.com name-server` for consistency
and reusability.
|
|
|
|
|
|
This is basic configuration to enable NTS support in chrony.
|
|
T5099: IPoE-server add option next-pool for named ip pools
|
|
ipsec: T5043: Rewritten and fixed 'reset vpn' commands
|
|
In cases with multiple named IP pools, it is required the option 'next'
to be sure that if IP addresses ended in one pool, then they would
begin to be allocated from the next named pool.
For accel-ppp it requires specific order as pool must be defined
before we can use it with the 'next-option'
set service ipoe-server client-ip-pool name first-pool subnet '192.0.2.0/25'
set service ipoe-server client-ip-pool name first-pool next-pool 'second-pool'
set service ipoe-server client-ip-pool name second-pool subnet '203.0.113.0/25'
[ip-pool]
203.0.113.0/25,name=second-pool
192.0.2.0/25,name=first-pool,next=second-pool
|
|
|
|
hsflowd will export the headers of dropped packets (along with the
name of the function in the Linux kernel where that skb was dropped)
as part of the standard sFlow feed.
This measurement complements the sFlow packet sampling and
counter-telemetry well because it provides visibility into the
traffic that is not flowing.
Very helpful for troubleshooting.
The limit (a rate limit max of N drops per second sent out in the
sFlow datagrams) is the parameter you would set in the CLI.
set system sflow drop-monitor-limit 50
|
|
T5092: IPoE-server named pool must not rely on auth type
|
|
1. Rewritten CLI of 'reset vpn' commands.
2. Created 'reset vpn ipsec remote-access' commands to reset
RA IKEv2 session.
3. Created 'reset vpn ipsec site-to-site all' command to reset all
configured IPSec site-to-site peers sessions.
4. Rewritten 'reset vpn l2t|pptp|sstp' commands to
new opmode style.
|
|
Named pools for ipoe-server must not rely on autentication type
It is a separate global option for [ipoe] and [ip-pool] sections
|
|
Add sFlow feature based on hsflowd
According to user reviews, it works more stable and more productive
than pmacct
I haven't deleted 'pmacct' 'system flow-accounting sflow' yet
It could be migrated or deprecated later
set system sflow agent-address '192.0.2.14'
set system sflow interface 'eth0'
set system sflow interface 'eth1'
set system sflow polling '30'
set system sflow sampling-rate '100'
set system sflow server 192.0.2.1 port '6343'
set system sflow server 192.0.2.11 port '6343'
|
|
Add template to generate zebra
"ipv6 protocol ospf6 route-map xxx"
|
|
Fix podman error about invalid storage:
[graphdriver] prior storage driver overlay failed: 'overlay' is not supported
over overlayfs, a mount_program is required: backing file system is unsupported
for this graph driver" Error: 'overlay' is not supported over overlayfs, a
mount_program is required: backing file system is unsupported for this graph
driver.
|
|
Container registry CLI node changed from leafNode to tagNode with the same
defaults. In addition we can now configure an authentication option per
registry.
|
|
qos: T5018: Fix issues between QoS and interface mirror/redirect
|
|
This will check if mirror/redirect is present on a QoS interface and use `vyos.configdep` module to update the interface again after QoS is applied.
|
|
If the 'client-subnet' is not used we must exclude it
from the ipoe.config.j2 template.
Otherwise we get wrong empty parameter ',range=,'
|
|
Fix incorrect regex '\d+' when used vlan ranges
For example 'ipoe-server interface eth1 vlan 2000-3000'
- replace 'interface=re:eth1\.\d+'
=> 'interface=re:^eth1\.(200\d|20[1-9]\d|2[1-9]\d{2}|3000)$'
|
|
After rewriting IPoE server for config.dict the ipoe.config.j2
template wasn't changed for 'vlan-mon' section
Fix it
|
|
T4977: Add Babel routing protocol support
|
|
login: T4943: Fixed 2FA + RADIUS compatibility
|
|
MFA requires KbdInteractiveAuthentication to ask a second factor, and the RADIUS
module for PAM does not like it, which makes them incompatible.
This commit:
* disables KbdInteractiveAuthentication
* changes order for PAM modules - make it first, before `pam_unix` or
`pam_radius_auth`
* enables the `forward_pass` option for `pam_google_authenticator` to accept
both password and MFA in a single input
As a result, local, RADIUS, and MFA work together.
Important change: MFA should be entered together with a password.
Before:
```
vyos login: <USERNAME>
Password: <PASSWORD>
Verification code: <MFA>
```
Now:
```
vyos login: <USERNAME>
Password & verification code: <PASSWORD><MFA>
```
|
|
T5029: Change nginx default root directory
|
|
|
|
|
|
* We will need to remove insecure ciphers as a long-term solution (BF-CBC, DES...)
|
|
Disabling authentication is useful in emergency situations
(e.g. RADIUS server is down) or testing purposes.
Clients can connect with any login and username.
set service pppoe-server authentication mode 'noauth'
|
|
debian: T5003: Upgrade base system to Debian 12 "Bookworm"
|
|
Not supported with swanctl
|
|
Fixes "chronyd: Fatal error : Not superuser"
Fixes "ip[6394]: Failed to open mounts file: No such file or directory" when in VRF
|
|
|